W2K_FileSystem.shtml

Subject: Issues with Windows 2000 Encrypting File System and Disk Wipe
TO: <bugtraq@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com>

Microsoft has released a new tool to address issues with Encrypting File System under Windows 2000 found by Colman Communications Consulting.

Disclaimer
The information contained within this advisory is provided as is with no warranty of fitness implied or otherwise. By making use of the information you agree to do so entirely at your own risk and indemnify Colman Communications Consulting Pty Ltd against any damage which may result.

Synopsis
The vulnerabilities present in EFS are summarised thus:
1. Files which are moved into an encrypted folder, or are present as plain text prior to a directory being encrypted, have a plain text copy made. In addition plain text fragments of the original will also persist.

2. Third party disk wipe products do not effectively "zero" unused disk space under Windows 2000.

Additional information and advice on how to mitigate these risks is provided
below.

Plain Text Copies
When files which were previously in plain text are encrypted using EFS, either by encrypting the file or the directory the file is in, or by moving the file into a directory with EFS applied, a plain-text (as distinct from cipher-text) copy of the file is made on the disk. In addition to this plain-text fragments of the original file may also persist.

In the case of the plain text copy this occurs because Windows 2000 takes a temporary backup copy of the file prior to encryption to ensure that it can recover the file should a system error occur whilst the file is being encrypted. In terms of the file fragments this is simply a reflection of the standard operation of most operating systems where "deleted" files are not actually overwritten, but simply de-allocated.

Depending on the usage of the system this presents the possibility that the plain text copy and plain text fragments of the original file could persist on the system's disk until such time as the system has a need for the space and overwrites the data contained there.

Access to the plain text copy or fragments could be achieved by anyone who is able to obtain physical access to the disk, and can mount the disk into another system. Access to the plain text copy could also be achieved by an "Administrator" who is able to load a device driver to speak directly to the disk.

When EFS is used in the recommended manner, that is files are only created inside folders with EFS enabled the problem of plain-text copies and fragments does not occur.

Organisations that are using EFS to help mitigate the risk of physical security of systems should be aware of this issue and act in accordance with the recommended mode of operation, and our advice below.

Disk Wipe Products Fail To Wipe Disk The issue described above is compounded by the fact that most third party disk wipe products do not wipe the disks of Windows 2000 systems.

This effectively means that users are unable to clear plain text copies of files they thought were encrypted, as well other material they thought they had deleted, by using disk wipe products.

Organisations that are making use of disk wipe products to manage risks related to "deleted" data under Windows 2000 should be aware of this issue and act in accordance with our advice below, and that provided by Microsoft.

Advice on Mitigating Risk
Colman Communications Consulting has worked with Microsoft to have these issues addressed. This work has resulted in a commitment from Microsoft to place emphasis the behaviour of EFS and writing a tool which can be used to wipe unused disk space on Windows 2000 systems.

If you are using EFS then you should ensure that:
- Your users are educated on the correct manner of operating EFS so as to prevent the proliferation of plain text copies.
- You install and run the cipher.exe tool on your systems to ensure that any plain text copies and other sensitive "deleted" information is zeroed.

The new version of cipher.exe along with install instructions was orginally posted at:
http://www.microsoft.com/technet/security/cipher.asp

At the time of posting this page is temporarily unavailable due to a revamp of the Microsoft Technet Area. However, the related Microsoft Knowledge
Base Article can be found at:
http://support.microsoft.com/support/kb/articles/Q298/0/09.ASP



Credits


This advisory with additional advice for Australian Commonwealth Government Agencies can be found at:
http://www.colmancomm.com/news/20010612efs.htm

Additional notes from Colman Communications Consulting on using EFS can be found at:
http://www.colmancomm.com/resources/EFS_Guidelines.htm

Colman Communications Consulting is based in Canberra, Australia, and specialises in IT Security for Industry and Government.

Date: June 27, 2001